Home IDP Discovery Login Flow #264

Open
3 tasks
saloniGargFEDev opened this issue Feb 11, 2025 · 0 comments
Labels
enhancement New feature or request

saloniGargFEDev commented Feb 11, 2025

Description

Overview

We are introducing a new user login flow for the Catena-X Dataspace. This flow will utilize IDP-Discovery, eliminating the need for users to actively select their Identity Provider (IDP). Instead, the system will manage IDP selection based on the user's email address. This new flow aims to streamline the user experience and improve the login process.

What's the benefit?

The new user login flow with IDP-Discovery brings significant benefits, including a more streamlined and user-friendly login process, enhanced security, and better management capabilities. It positions Catena-X Dataspace for future growth and scalability while contributing valuable improvements to the Keycloak community.

Implementation Details

Current Flow

  • User navigates to the login page.
  • User selects their Identity Provider (IDP) from a list.
  • User enters their login credentials.
  • User is authenticated and logged in.

New Flow (IDP-Discovery)

  • User navigates to the login page.
  • User enters their email address.
  • System validates the email address.
  • System discovers the associated IDP(s) based on the email domain:
      • If a single IDP is discovered:
          • User is forwarded directly to the login page of the discovered IDP.
      • If multiple IDPs are discovered:
          • User is forwarded to a company login selection page to choose the appropriate IDP.
  • User enters their password/authentication details.
  • User is authenticated and logged in.

Impacted Products

Keycloak

Adjustments to the login flow to implement IDP-Discovery.

Modification of authentication logic to validate email and discover IDPs.

Keycloak Login Themes

Update to the login page UI to accommodate email input for IDP-Discovery.

Design and implementation of the company login selection page.

Currently we (Cofinity-X) have implemented this using https://www.keycloakify.dev/
This is a React implementation of native Keycloak themes.

What are the Risks?

None

Acceptance Criteria

  • Authentication flow of the user based on domain
  • User is redirected to the IDP page where, if the user account is connected with more than 1 IDP, all the valid IDPs are shown
  • User is able to log in to their desired IDP (if they have an account)

Additional Information

If this feature is implemented, this will be the new login flow, making the old way of logging in redundant. I want to propose the use of the keycloakify-starter repo, which is in React and makes customisation of themes easier.

  • Through this, we do not have to be tightly coupled with keycloak's template DOM and have freedom to move around elements.
  • This has a storybook
  • We can utilize state management to show complex functionalities if needed.
  • We can utilise shared components library components in the login pages as well to maintain uniformity.
  • We can have better user experience based on UX research.
@saloniGargFEDev saloniGargFEDev added the enhancement New feature or request label Feb 11, 2025
@github-project-automation github-project-automation bot moved this to NEW USER REQUEST in Portal Feb 11, 2025
@saloniGargFEDev saloniGargFEDev changed the title Home IDP Discovery Flow Home IDP Discovery Login Flow Feb 12, 2025
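
The discovery step of the new flow described in the issue, as an added sketch that is not part of the original issue or the project's code: it validates the email, normalises the domain, and decides between direct redirect and the company selection page. The mapping, the IdP aliases, the function names and the `no_idp` outcome are assumptions made for illustration.

```javascript
// Added example: constructed mapping, hypothetical names throughout.
// Constructed sample data: email domain -> IdP aliases registered for it.
const DOMAIN_TO_IDPS = new Map([
  ["example-oem.test", ["oem-corp-idp"]],
  ["example-supplier.test", ["supplier-eu-idp", "supplier-us-idp"]],
]);

// Conservative syntax check: exactly one "@", non-empty local part,
// dot-separated letter/digit/hyphen labels. Not a full RFC 5322 parser.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

function extractDomain(email) {
  if (typeof email !== "string" || email.length > 254) return null;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  if (at <= 0 || trimmed.indexOf("@") !== at) return null; // zero or several "@"
  const local = trimmed.slice(0, at);
  if (/[\s<>()",;:\\]/.test(local)) return null;
  // Normalise case and a trailing root dot before comparing.
  const domain = trimmed.slice(at + 1).toLowerCase().replace(/\.$/, "");
  const labels = domain.split(".");
  if (labels.length < 2 || !labels.every((l) => LABEL.test(l))) return null;
  return domain;
}

// Returns the next step of the flow described in the issue.
function discoverIdp(email, mapping = DOMAIN_TO_IDPS) {
  const domain = extractDomain(email);
  if (domain === null) return { action: "invalid_email" };
  // Exact match only: suffix or substring matching would let
  // "example-oem.test.other.test" resolve to the OEM's IdP.
  const idps = mapping.get(domain) || [];
  if (idps.length === 1) return { action: "redirect", idp: idps[0] };
  if (idps.length > 1) return { action: "select", idps: [...idps] };
  return { action: "no_idp" }; // assumption: the issue does not define this case
}
```

The decision belongs on the server side of the login flow; a theme can call it to choose which page to render but should not be the only place the domain-to-IDP mapping is enforced.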